I should have made more clear that "access to schema" was entirely made up
by me. I know that is really invalid. I was just trying to make it clear
what I wanted to do. AD lets you do this for example. You can access the
schema, but anything past that requires authentication.
Hmm.. time to rephrase I think.
My question can be summed up as this: How can I ensure all applications can
access my schema while still restricting access to everything in my LDAP
directory to auth users only?
----- Original Message -----
From: "Tony Earnshaw" <tonye@billy.demon.nl>
To: "Openldap list" <openldap-software@OpenLDAP.org>
Sent: Friday, May 14, 2004 5:29 PM
Subject: Re: Schema not available with restrictive ACLs
> fre, 14.05.2004 kl. 20.10 skrev adp:
>
> > Hi again! I was working to clamp down on our openldap server with ACLs
and
> > noticed that some tools that expect to see the schema from the LDAP
server
> > (I believe this is always made available to an LDAP client, even when
using
> > an anon. bind) failed. Is there a way I can stop anon. connections but
still
> > allow schema viewing?
>
> Very recent versions prohibit anonymous binds by default. You could stop
> viewing of everything until authenticated with strict ACLs (man
> slapd.access). Though you can always view the schemas.
>
> > Our ACLs basically consists of this:
> >
> > access to attrs=userPassword
> > by * auth
> >
> > access to dn=".*,ou=People,dc=example,dc=com"
> > by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> > by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> > by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> >
> > I read the slapd.conf manpage and I didn't see anything specific to ACLs
and
> > schemas.
>
> slapd.access - but for the best things, make sure you have the most
> recent OL version - preferably 2.2.11.
>
> > I was thinking of something along the lines of:
> >
> > access to schema
> > by * read
>
> There is no objectclass or other attribute called "schema". Both are
> properties of a "schema".
>
> > access to attrs=userPassword
> > by * auth
> >
> > access to dn=".*,ou=People,dc=example,dc=com"
> > by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> > by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> > by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
>
> Why not? The sky's the limit. Though you'll soon get to do with hard
> facts - for example everyone in a posixaccount must be able to see
> others' posixaccount details as they would see them in /etc/password -
> or with 'getent passwd person', 'id person' - or things "break". But
> other attributes can be hidden with ACLs.
>
> --Tonni
>
> --
>
> We make out of the quarrel with others rhetoric
> but out of the quarrel with ourselves, poetry.
>
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
>
>